New Year’s Eve 2021 will be far more social than last year’s (we can hope)… but for all the good times, there is the danger of overindulgence and regrettable antics.
Fittingly then, New Year’s Eve 2021 is now the day on which FIPPA’s COVID-19 related data residency exemptions are set to expire and, unless we exercise care and moderation now, we are likely to wake up on January 1, 2022 with (an even worse) headache and perhaps some regrets.
Let’s back up and take a few lines to provide some background on FIPPA’s data residency requirements and the COVID-19 related data residency exemptions referred to above. If you can hang on until the end, we’ll finish up with some practical steps to consider implementing now, to avoid waking up on New Year’s Day 2022 with the headache of 2021’s privacy law missteps.
British Columbia’s Freedom of Information and Protection of Privacy Act (commonly referred to as FIPPA) applies to public bodies (as opposed to PIPA, the Personal Information Protection Act, which applies to private sector organizations) and governs, in part, how public bodies are to collect, use, store and disclose personal information. One of FIPPA’s many privacy-related requirements is the set of restrictions found at sections 30.1 and 33.1 of FIPPA, which in effect provide that public bodies are not allowed to disclose, store or access personal information outside of Canada except in certain, very limited circumstances.
The net effect of sections 30.1 and 33.1 is to require public bodies to select software providers who can commit to keeping data in Canada (except in narrowly defined, specific circumstances), or seek informed consent from every individual whose personal information is in the system (which in most cases is not practical). These are what we describe as data residency requirements.
Many international software providers, even those with a presence elsewhere in Canada, have not yet established data centres in Canada, and so public bodies in B.C. have struggled to procure modern software systems from the world’s leading software companies.
At the outset of the pandemic, public bodies were forced to switch to digital delivery modes almost overnight and, luckily, the market offered various, ready-made digital tools that made the transition to virtual delivery relatively smooth. However, many of those digital tools were from non-Canadian software providers, and involved collecting, using, storing and disclosing personal information outside of Canada.
So, on March 26, 2020, the Minister of Citizens’ Services issued Ministerial Order M085 (the Order), which temporarily relaxed FIPPA’s data residency requirements for health care and other public bodies. We say “relaxed”, because data residency requirements weren’t suspended; rather, the Order created additional exemptions to the data residency requirements under certain conditions. Since then, the Order has been extended three times, most recently on May 10, 2021 when it was extended to December 31, 2021. The provisions of the Order have not changed since it was originally made.
Temporary Exemptions for Data Residency Requirements
The Order essentially creates two temporary exemptions to FIPPA’s data residency requirements:
1. Exemption for Health Care Bodies
Under the Order, a health care body (as defined in FIPPA) may disclose personal information outside of Canada in accordance with sections 33.2 (a) and (c) of FIPPA, provided the disclosure is necessary:
- for the purposes of communicating with individuals respecting COVID-19,
- for the purposes of supporting a public health response to the COVID-19 pandemic, or
- for the purposes of coordinating care during the COVID-19 pandemic.
2. Exemption for Public Bodies (generally)
Of particular relevance to the non-Canadian digital tools conundrum, the exemption also permits all public bodies (not just health care bodies), such as educational bodies, to disclose personal information outside of Canada in accordance with sections 33.2 (a) and (c) of FIPPA through the use of third-party tools and applications, provided:
- the third-party tools or applications are being used to support and maintain the operation of programs or activities of the public body or public bodies,
- the third-party tools or applications support public health recommendations or requirements related to minimizing transmission of COVID-19 (e.g. social distancing, working from home, etc.), and
- any disclosure of personal information is limited to the minimum amount reasonably necessary for the performance of duties by an employee, officer or minister of the public body.
The Order defines “third-party tools and applications” to include any software developed and maintained by a third party, and which is used to enable communication or collaboration between individuals.
Despite these exemptions, public bodies must otherwise comply with FIPPA when collecting, using, and disclosing personal information, and the Order sets out certain steps a public body must take to ensure that privacy is protected while using third-party tools or applications.
Practical Steps to Avoid a New Year’s Day Headache (at least on the FIPPA front)
In this article our colleague, Jeff Holowaychuk, provided some tips and tricks for emerging from the pandemic with lasting remote work solutions. If implemented in a timely manner (i.e. well before New Year’s Eve) and broadly with respect to your organization’s third-party tools and applications (i.e. not just remote working tools but all third-party software procured in response to the pandemic), the strategies outlined in the article can be equally effective in helping ensure you do not wake up on New Year’s Day tasked with figuring out whether your organization is still FIPPA compliant on the data residency front.
Most importantly, consider conducting a software audit to identify: (i) any third-party software your organization has procured since the pandemic hit, and (ii) the software you intend to continue using after pandemic restrictions have eased. For the software you will not continue using, make arrangements to transition away from those tools well before December 31st, ensuring that all personal information stored outside of Canada is removed/deleted in compliance with FIPPA, and for those tools you intend to keep using, determine which involve the storage, access and/or disclosure of personal information outside of Canada. You may need to speak with the software provider directly, and/or review your service agreements and the provider’s privacy/information security policies to answer this last question.
For those tools or applications that, without the benefit of the Order, do not comply with FIPPA’s data residency requirements, you may want to consider whether that provider has an option for in-Canada storage (and if so, renegotiate your existing agreement to provide for the Canadian option) or, if they do not have a Canadian option, whether obtaining consent is in the realm of possibility (note that FIPPA prescribes what this consent needs to look like, so be sure to review FIPPA’s consent requirements if you choose to go down this road).
If neither of the above apply, you may have to plan to formally terminate those agreements prior to December 31, 2021, ensure all personal information is returned/destroyed in compliance with FIPPA, and seek alternative tools and applications that comply with B.C.’s data residency requirements in the post-pandemic world (which requirements are, as it currently stands, the same data residency requirements that applied in the pre-pandemic world).
While you (and your Privacy and IT offices) may have rejoiced a little when the Order was extended earlier this month, it is a great reminder to start planning now for the return of B.C.’s data residency requirements in 2022. That way, you may be able to sleep in a little longer this coming New Year’s Day, after what we hope will also be the return of the great New Year’s Eve celebrations we all missed on New Year’s Eve 2020.